This is an archived post. You won't be able to vote or comment.

85
86

Be careful with CloudFlare (self.privacy)

no-idea-for-username 投稿

Well, first of all, let me explain what is CloudFlare. CloudFlare is a CDN (content delivery network) which acts as a reverse proxy, saving bandwhidt and protecting websites against denial-of-service attacks. Some of their plans are free. This sounds very interesting, specially for individuals or small companies which can't afford a very sofisticated infrastructure to their own websites.

However, in order to do this, they act literally as a MITM (man-in-the-middle), even in SSL connections. They do a lot of marketing saying they are helping to improve to internet security bringing SSL connections for all the websites which use their services. Well, you conection is really encrypted, but only until the CloudFlare's servers. After that, the conection between CloudFlare and can simply be unencrypted, if the website operator choose to do so. Or still can be encrypted (between CloudFlare servers and website servers) but the contents of what you're viewing and sending on that website remains visible to CloudFlare, even in the so-called full strict SSL. So, although an encrypted conection can be good, even if it's just until CloudFlare's servers (which at least creates a protection on unsecure wi-fis or shitty ISPs), they aren't telling clearly the whole story thanks to their PR management.

Do you want to check this? Simple: go to any website with a SSL connection behind CloudFlare and check the certificate. You'll notice the certificate was emited for something.cloudflaressl.com instead of the original website address. Yet the web browser accepts this type of certificate as valid and shows the lock in the address bar.

All of this creates an interesting paradox with Tor. In one side, the ability of having a SSL conection, even if it's only until the CloudFlare servers, helps to protect your browsing against a malicious exit node. However, on the other side, they require you to enable JavaScript in order to avoid those terrible and unreadable captchas.

So, my friends, be careful with this company. As they grown more and more, they can learn about your browsing habits and harm your privacy. If you access a website behind CloudFlare, avoid putting sensitive information on there, because all the contents are accesible to them. Even in their Keyless SSL which is used by some US banks, the contents of the pages are still accesible to them. And if you're just creating your own website, please, avoid them.

Reccomended readings:

https://info.ssl.com/the-real-cost-of-a-cloudflare-free-ssl-certificate/

https://scotthelme.co.uk/tls-conundrum-and-leaving-cloudflare/?PageSpeed=noscript

全 67 件のコメント
並べ替え:
ベスト
トップ新着論争中古い順Q&A

[–]Youknowimtheman 10 ポイント11 ポイント  (8子コメント)

This is accurate.

In order for web servers to not throw security warnings on Cloudflare, the cert and private key has to be submitted to the CDN. This puts the web servers security at the mercy of Cloudflare servers. If you trust that they can secure their infrastructure, and will not act in bad faith, it is a great feature, especially for websites that frequently come under attack. If you are a Wikileaks or a Tor Hidden Service... I wouldn't advise it.

To be clear, the "Strict" setting uses the servers actual key for the CDN, the other https settings use Cloudflare self-signed keys which some browsers accept and others throw scary warnings for because Cloudflare isn't a trusted root for that particular browser.

[–]ProGamerGov 3 ポイント4 ポイント  (0子コメント)

The Tor Project is apparently working on a specialized decentralized mechanism for defending onion sites from DDoS sites. Not sure what WikiLeaks uses.

[–]no-idea-for-username[S] 1 ポイント2 ポイント  (5子コメント)

Just a correction, CloudFlare doesn't require your private keys. They work with their own keys.

For example, you can go to https://getmonero.org and see the full certificate details. In the "common name" part, you can see the certificate was emitted to ssl277392.cloudflaressl.com and signed by Comodo (nearly all CloudFlare certs are emitted by Comodo and signed in this way). Unfortunately, the major web browsers accept this type of certificate as valid and don't alert for any mismatch (including Tor Browser).

The majority of websites behind CloudFlare using SSL encryption have this behaviour. The Strict SSL works encrypting your conection between your browser and CloudFlare servers using the CloudFlare owned keys, all of them signed by Comodo BTW. Then, a new conection between the CloudFlare server and the websites servers is done, but this part of this conection is done with the own servers key. The only difference between Flexible SSL and Strict SSL is just about the connection being encrypted between the CloudFlare servers and the websites servers. The first link in the OP explains this very well.

There is the possibility of you uploading your server's private key to them, but this is reserved for business and enterprise accounts.

[–]AdamJacobMuller 4 ポイント5 ポイント  (0子コメント)

the "common name" part, you can see the certificate was emitted to ssl277392.cloudflaressl.com and signed by Comodo (nearly all CloudFlare certs are emitted by Comodo and signed in this way). Unfortunately, the major web browsers accept this type of certificate as valid and don't alert for any mismatch (including Tor Browser).

Because there is no mismatch.

The certificate at getmonero.org, for example:

    Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Domain Validation Secure Server CA 2
    Subject: OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=ssl277390.cloudflaressl.com
        X509v3 Subject Alternative Name: 
            DNS:ssl277390.cloudflaressl.com, DNS:*.airliftcompany.com, DNS:*.britishschool.edu.my, DNS:*.caliberco.com, DNS:*.chores.com, DNS:*.cruzcrowd.com, DNS:*.gentracer.com, DNS:*.getmonero.org, DNS:*.imhomeapp.com, DNS:*.jobsgrowth.org, DNS:*.jpmsrv.com, DNS:*.lifeandkitchen.com, DNS:*.linkmo.com, DNS:*.makensi.es, DNS:*.merchantcantoslive.com, DNS:*.monero.cc, DNS:*.neoclinical.com, DNS:*.netsolcon.com, DNS:*.onlanka.com, DNS:*.payasyoutrack.com, DNS:*.payb.ee, DNS:*.pdfnomo.re, DNS:*.personkillian.com, DNS:*.praxisdienst.com, DNS:*.rayplastics.com, DNS:*.riskfocus.com, DNS:*.tamilsongskey.com, DNS:*.validate.trade, DNS:*.zingsockclub.com, DNS:airliftcompany.com, DNS:britishschool.edu.my, DNS:caliberco.com, DNS:chores.com, DNS:cruzcrowd.com, DNS:gentracer.com, DNS:getmonero.org, DNS:imhomeapp.com, DNS:jobsgrowth.org, DNS:jpmsrv.com, DNS:lifeandkitchen.com, DNS:linkmo.com, DNS:makensi.es, DNS:merchantcantoslive.com, DNS:monero.cc, DNS:neoclinical.com, DNS:netsolcon.com, DNS:onlanka.com, DNS:payasyoutrack.com, DNS:payb.ee, DNS:pdfnomo.re, DNS:personkillian.com, DNS:praxisdienst.com, DNS:rayplastics.com, DNS:riskfocus.com, DNS:tamilsongskey.com, DNS:validate.trade, DNS:zingsockclub.com

[–]Youknowimtheman 2 ポイント3 ポイント  (2子コメント)

It depends on if you need to present your own private key or not. The "strict" setting requires that you upload your own SSL key and cert, and yes, that is for business and enterprise.

[–]voyagerfan5761 -1 ポイント0 ポイント  (1子コメント)

Actually, the "Strict" setting merely requires that the origin server have a valid (signed by trusted root) certificate instead of a self-signed cert that would suffice for normal "Full" SSL.

Source: CloudFlare's own documentation

[–]Youknowimtheman -1 ポイント0 ポイント  (0子コメント)

You seem to be arguing a point that I wasn't making. If you want Cloudflare to use your cert for the CDN and not their own, you have to upload it and the private key to Cloudflare.

[–]AsteriskMC 1 ポイント2 ポイント  (0子コメント)

It's because it's a multi-domain certificate and they use SANs (Subject Alternative Names)

[–]gospelwut 0 ポイント1 ポイント  (0子コメント)

My .pem also sits on a VM on my hosting provider. It's "end to end" but there's really nothing stopping them from yanking that fucker. They conatrol the hypervisor (and the network).

[–][削除されました]  (4子コメント)

[deleted]

    [–]mr_malware 22 ポイント23 ポイント  (0子コメント)

    [deleted]

    [–]timmygoestohollywood 7 ポイント8 ポイント  (2子コメント)

    If it isn't encrypted client-side and send as a hash only than yes! Cloudfare is in fact the MITM and as such it needs to have copies of the certificates.

    Yes!

    And to be honest this is terribly old news and has been known to anybody that just took a slight look into Cloudfare.

    So nothing new to see here, move along!

    [–]beardog108 14 ポイント15 ポイント  (0子コメント)

    It might not be new to you or me, but that doesn't mean awareness shouldn't be spread.

    [–]furious_nipples 6 ポイント7 ポイント  (0子コメント)

    Sad truth of the day:

    That SSL connection in your url bar right now? CloudFlare. :(

    [–]2005C 10 ポイント11 ポイント  (9子コメント)

    Fuckers and their captcha.... I hate it, it hates my VPN.

    [–][deleted] 2 ポイント3 ポイント  (6子コメント)

    It hates blacklisted IPs. I changed provider recently, and a positive side effect to the better performance was that their IPs aren't blacklisted.

    [–][deleted] 2 ポイント3 ポイント  (5子コメント)

    Which was your previous one and which one do you have now? I'm currently with PIA and the captchas are killing me. It's as bad as when using Tor.

    [–]2005C 1 ポイント2 ポイント  (4子コメント)

    Right there with ya, PIA and captcha hell.

    [–][deleted] 0 ポイント1 ポイント  (3子コメント)

    I've contacted support and been on the forums but they're like: "You wouldn't sue the taxi driver if a drunk driver crashed into the taxi while you were in it." What a flawed analogy. They say they can't do anything about it. I'm not willing to continue my account though if they can't fix it.

    [–]2005C 1 ポイント2 ポイント  (2子コメント)

    they can alternate their ip addresses on the exits, that's what we pay them for. /u/TwentyYearsAgo which VPN did you switch to to relieve the captcha nonsense?

    [–][deleted] 1 ポイント2 ポイント  (1子コメント)

    I changed from Mullvad to OVPN, both Swedish providers, so probably not much help for you.

    /u/user64986

    [–][deleted] 0 ポイント1 ポイント  (0子コメント)

    At least now I know not to choose Mullvad. :)

    [–]anonlymouse 0 ポイント1 ポイント  (1子コメント)

    It seems they only do that while under heavy load. DOS protection is what they offer, that's how they provide it.

    [–][deleted] 0 ポイント1 ポイント  (0子コメント)

    For months I have this problem while on PIA. Every day every single CF protected website asks me every hour to type a captcha.

    [–]binlargin[🍰] 3 ポイント4 ポイント  (1子コメント)

    If I was the NSA, I'd DDoS HTTPS sites that have an interesting userbase but aren't important enough to hack until they moved to a CDN.

    [–]2005C 2 ポイント3 ポイント  (0子コメント)

    Looks like they already are.

    [–]mr_malware 13 ポイント14 ポイント  (24子コメント)

    [deleted]

    [–]FluentInTypo 4 ポイント5 ポイント  (0子コメント)

    AFAIK, there's been no evidence that CloudFlare has any desire to monitor your traffic. If there was any indication that CloudFlare was harvesting information for any reason, it would absolutely destroy their business, anyone who's anyone would jump ship.

    That's true, but it doesn't fit their business model; the have no reason to care, they're in the business of being a CDN and protecting against attacks, not in the business of selling your data

    Data is the new currency. Microsoft and even Google put on great airs in the beginning about how they didnt care about your data and in fact, wanted to protect it. Google went so far as to issue a user policy that explained how their careful use of cookies coud not unmask users in anyway and they did not retain any user data (policy pre-911) and immediately changed it just after 911.

    There were close to 50 good privacy bills in the house and senate prior to 911, every single one was abandonded in favor of the patriot act.

    Microsoft, just a year ago was still running its "scroogled" campaign, but it now not only embracing surveillence, baking it into win10, but also making it clear they will cooperate with the needs to national security.

    And now we have the freedom act and omnibus bill to further legalize surviellence, with both actually calling on private corporations to become part of the surveillence machine legally.

    The first step to data currency is having the data. You do this with promises of privacy protection, earning trust of customers. The second step is to monetize it and monetizing it almost always means data sharing.

    We have no garauntee that Cloudflare is not compromised during the brief decrypt at their server, just like google was between data centers. What we do have is a society entrenched in privacy concerns and the large corporations response is more surveillence and even official MITM practices. As long as its legal, they dont care about us.

    Our data is worth billions of dollars a year. Thats why Google is so rich (but you're not!). The true currency is data and everyone is happily giving it away for free.

    [–][削除されました]  (5子コメント)

    [deleted]

      [–]mr_malware 4 ポイント5 ポイント  (4子コメント)

      [deleted]

      [–]ProGamerGov 1 ポイント2 ポイント  (1子コメント)

      What about spy agencies using illegal splitters on the unprotected data streams caused by Cloudflare?

      [–]mr_malware 2 ポイント3 ポイント  (0子コメント)

      [deleted]

      [–]tomaxi 0 ポイント1 ポイント  (0子コメント)

      Anyone who does want to see your data, has easier ways of obtaining it short of hacking into CloudFlare.

      What's easier ways, hacking into Google?

      [–]2005C 1 ポイント2 ポイント  (3子コメント)

      If you use a VPN sites with cloudflare make you fill out captcha TO MAKE SURE YOU'RE A HUMAN

      [–]Youknowimtheman 1 ポイント2 ポイント  (2子コメント)

      That is because a lot of crappy people do crappy things from behind VPNs and other proxies, like DDOS attacks, scraping search services, spam email campaigns, etc.

      The Captcha does serve a purpose, even though it is inconvenient.

      [–]ProGamerGov 2 ポイント3 ポイント  (1子コメント)

      And some crappy website owners set Cloudflare to use impossible captcha, if it detects Tor, VPNs, etc...

      [–]tomaxi 0 ポイント1 ポイント  (0子コメント)

      And some crappy website owners

      For example?

      [–]anonlymouse 0 ポイント1 ポイント  (0子コメント)

      That doesn't mean the NSA/GCHQ can't demand they keep records of it and not talk to anybody about it.

      [–]cuddle-buddy 0 ポイント1 ポイント  (11子コメント)

      If there was any indication that CloudFlare was harvesting information for any reason, it would absolutely destroy their business, anyone who's anyone would jump ship.

      Yep, for instance... Reddit.... or the FBI

      [–]tomaxi 0 ポイント1 ポイント  (3子コメント)

      Yep, for instance... Reddit.

      But why the "ssl****.cloudfaressl.com" wasn't found from reddit certificate information?

      [–]cuddle-buddy 2 ポイント3 ポイント  (0子コメント)

      Not sure.. https://www.cloudflare.com/case-studies-reddit/

      [–]312c 0 ポイント1 ポイント  (0子コメント)

      Enterprise accounts have the option to have their own SSL cert served directly by CloudFlare: https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/

      [–][deleted] -3 ポイント-2 ポイント  (6子コメント)

      True. However, if a CF employee fancied getting access to BTN, PTP or WCD perhaps that CF employee could easily steal any account on any of the top three or any site behind CF. Shocking when one things of it that sites that claim to put user security above and beyond everything else are quite happy to have all of their users accounts details pass through a third party being Cloud Flare. That being said why should any Gazelle based site that hides behind CF worry as no staff account IP's are ever logged.

      [–]312c 0 ポイント1 ポイント  (5子コメント)

      However, if a CF employee fancied getting access to BTN, PTP or WCD perhaps that CF employee could easily steal any account on any of the top three or any site behind CF

      Got any evidence to back up that claim? Didn't think so.

      Shocking when one things of it that sites that claim to put user security above and beyond everything else are quite happy to have all of their users accounts details pass through a third party being Cloud Flare

      User data will always pass through third parties on the way to a server; be it the ISP, the backbone carrier, the datacenter's routing and switches, the datacenter's server and hypervisor (if not-colo) or the site's server in a building not controlled by the site (if colo). Cloudflare has no history what-so-ever of interfering/tampering/monitoring their clients' traffic, and the day that they do is the day their company loses all business.

      [–]312c_is_BUTTHURT 0 ポイント1 ポイント  (2子コメント)

      Got any evidence an individual employee has never done anything nefarious? I didn't think so.

      [–][deleted] -2 ポイント-1 ポイント  (1子コメント)

      Odd how you ignore the part about Gazelle site staff never being logged but all the users are. Please tell us something we do not know. Fact is you are knowingly handing that data to CF and your details are not on the list are they so it's quite easy for you to post nonsense that we all know knowing that you are safe isn't it.

      [–]312c 3 ポイント4 ポイント  (0子コメント)

      I ignored it because it was nonsense. How exactly is any site running gazelle "handing that data to CF"? Staff use the exact same login page as users do. Cloudflare is a CDN, not a host, and therefore do not have any access to the table where gazelle stores users' IPs. If CF wanted to maliciously monitor and log all logins to a site they would get users and staff alike.

      [–]beardog108 2 ポイント3 ポイント  (0子コメント)

      I agree CloudFlare is dangerous, however isn't this inherent to normal domains? I mean the risk is lower, but can't your domain registrar just change your name servers to whatever they want and then intercept like CloudFlare does? (theoretically anyway).

      This is why .onion, .i2p, .bit are inherently better choices, not even just for anonymity.

      [–]FluentInTypo 1 ポイント2 ポイント  (3子コメント)

      As users, we should be letting website operators know all the times we abandon their site do to cloudflare. Cloudflare certainly isnt sharing the information with them. Perhaps, if they were alerted to the fake that hundreds, if no thousands of users a day never bother to go to their site bc of cloudflare, they might ditch them. A good reddit post can drive thousands of page veiws. I abandon 70 percent of my clicks due to cloudfuck.

      [–]2005C 0 ポイント1 ポイント  (0子コメント)

      I tweet to companies about it. You are right, they need to know.

      [–]312c 0 ポイント1 ポイント  (1子コメント)

      And without cloudflare nobody would be able to access the site due to DDOS

      [–]FluentInTypo 0 ポイント1 ポイント  (0子コメント)

      To be fair, there are other methods to protect against DDOS. I'm not claiming Cloudflare is evil, nor benevolent, but unless they fix the Tor/Capcha problem, their customers are losing out. I want to reward most of the sites I visit with pageviews, but given that I do a lot of mobile browsing, I cant bring myself to:

      • click a link, get a captcha.
      • Go into settings, enable javascript.
      • Reload link
      • enter capcha a few times as one undoubtedly fails
      • finally read and appreciate someones hard work.
      • click into settings and disable javascript until the next blocked link.

      Instead, I end up asking someone to copypaste the article in comments so we all can read it without having to capcha.

      Cloudflare is forcing me to either abandon my own security by enabling javascript, or abandon my respect for web-authors by asking others to "steal their work" on my behalf so I can read it. Either way, my ethics get compromised and the cloudflare hosted website author gets screwed. (Or yes, I could perform all the steps to enable and fill out the damn captcha on a case by case basis)

      [–]Cannon-C 6 ポイント7 ポイント  (0子コメント)

      Cloudflare is the cancer of the internet.

      [–]epigrams 0 ポイント1 ポイント  (1子コメント)

      What would be the difference between cloudflare and say maxcdn?

      [–]beardog108 1 ポイント2 ポイント  (0子コメント)

      Both are effectively giving control of your website to a third party, just to different extents.

      [–][deleted] 0 ポイント1 ポイント  (0子コメント)

      I'm late but CloudFlare is participating in shady activity anyway: https://en.wikipedia.org/wiki/CloudFlare#Controversies

      [–]Michael_Fuller 0 ポイント1 ポイント  (0子コメント)

      Thanks for the info, i didn't think about it this way. I am using not Cloudflare, but the same thing http://cdnsun.com/. Are these problems applicable to all cdn services? I am using it not for protection, just for good loading speed for my website in different regions.

      [–][deleted] 0 ポイント1 ポイント  (0子コメント)

      Holy shit fuck, that is unnerving to say the least.

      [–]AsteriskMC 0 ポイント1 ポイント  (0子コメント)

      If we're looking for ssl, just go with https://letsencrypt.org

      [–]TotesMessenger -1 ポイント0 ポイント  (0子コメント)

      I'm a bot, bleep, bloop. Someone has linked to this thread from another place on reddit:

      If you follow any of the above links, please respect the rules of reddit and don't vote in the other threads. (Info / Contact)

      [–][削除されました]  (1子コメント)

      [deleted]

        [–]312c 0 ポイント1 ポイント  (0子コメント)

        crimeflare is super inaccurate and mostly FUD

        [–]akeryw -4 ポイント-3 ポイント  (6子コメント)

        Install https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/ to avoid connecting with CDNs.

        [–]beardog108 4 ポイント5 ポイント  (0子コメント)

        This doesn't apply entirely with Cloudflare (except maybe their JS CDN servers, which is a whole another thing entirely), because this doesn't work like normal CDNs. This is inherent to your entire connection to the website. There is really no way to get around it.

        Also i find while decentraleyes is a great idea (and i personally use it), its lacking a lot of CDN urls.

        [–][deleted] 2 ポイント3 ポイント  (4子コメント)

        And break an ungodly amount of websites

        [–]beardog108 1 ポイント2 ポイント  (2子コメント)

        Can you do some research before commenting? Decentraleyes emulates the loading of CSS/JS CDN code. It doesn't break sites.

        [–][deleted] 0 ポイント1 ポイント  (0子コメント)

        Ok, it turns out that they don't completely block CDN's to prevent breaking functionality

        When Decentraleyes is unable to fetch a required resource, it (by default) allows the request to keep the page from breaking. However, it will still take some measures to improve your privacy (see FAQ).

        [–]akeryw 0 ポイント1 ポイント  (0子コメント)

        I'm using this for weeks now, no website stopped working. What do you mean?